Clause 10 of ISO 9001:2015 closes the QMS PDCA cycle. It’s the clause that turns audit findings, customer complaints and KPI deviations into real actions that improve the system. Without Clause 10, everything measured in Clause 9 ends up as reports nobody uses.
In this guide we explain what each sub-clause (10.1, 10.2 and 10.3) requires, how to raise and close corrective actions with proper root-cause analysis, what documents auditors ask for and the most common mistakes we see when working with companies through certification.
What you’ll find in this guide
- What does Clause 10 of ISO 9001 require?
- 10.1 General
- 10.2 Nonconformity and corrective action
- 10.3 Continual improvement
- How to implement Clause 10 in an SME
- Documents and evidence auditors ask for
- Common mistakes auditors flag
- How QualityWeb 360 makes Clause 10 easier
- Frequently asked questions
What does Clause 10 of ISO 9001 require?
Clause 10 is called “Improvement” and has three sub-clauses:
- 10.1 — General (the organization determines and selects improvement opportunities)
- 10.2 — Nonconformity and corrective action
- 10.3 — Continual improvement
In short: when something goes wrong (nonconformity), the organization must analyze root cause, take action to prevent recurrence, and verify those actions actually worked. It must also proactively seek opportunities to improve the QMS beyond fixing errors.
10.1 General
The organization must determine and select improvement opportunities and implement the necessary actions to:
- Improve products and services to meet requirements and address future needs
- Correct, prevent or reduce undesired effects
- Improve QMS performance and effectiveness
Improvements can include: correction, corrective action, continual improvement, significant change, innovation or reorganization.
10.2 Nonconformity and corrective action
When a nonconformity occurs (including those from complaints), the organization must:
10.2.1 — React and evaluate the need for action
- React to control and correct the nonconformity
- Deal with the consequences (customer, recalled product, rework)
- Evaluate the need for action to eliminate the root cause, so it doesn’t recur, by:
- Reviewing and analyzing the nonconformity
- Determining the causes
- Determining if similar nonconformities exist or could potentially occur
- Implement any action needed
- Review the effectiveness of any corrective action taken
- Update risks and opportunities determined during planning (links to 6.1)
- If necessary, make changes to the QMS
Corrective action vs correction — the classic confusion
Correction is the immediate fix (rework the product, redeliver the service, contain the lot). Corrective action is what you do to prevent recurrence: root-cause analysis + action on the system. If you only correct without corrective action, the problem will come back.
Root-cause analysis tools
- 5 Whys — the simplest, ideal for SMEs
- Ishikawa (fishbone) diagram — visual, groups causes by category
- 8D (Eight Disciplines) — structured, popular in automotive
- A3 analysis — pairs with Lean
- Reverse FMEA — for production-process nonconformities
10.2.2 — Documented information
The organization must retain documented information on:
- The nature of nonconformities and any subsequent actions taken
- The results of any corrective action
10.3 Continual improvement
The organization must continually improve the suitability, adequacy and effectiveness of the QMS. To do so, it must consider analysis and evaluation results (Clause 9.1) and the management review outputs (9.3) to determine if there are needs or opportunities to address as part of continual improvement.
The difference from 10.2: corrective actions are reactive (something failed, we fix it), continual improvement is proactive (everything works but we want to get better).
How to implement Clause 10 in an SME
Step 1 — Nonconformity and corrective action procedure
Define how an NC is recorded, who analyzes it, which root-cause tool to use, how the action is approved, who verifies effectiveness. Standard record template. Output: procedure + CA record template.
Step 2 — Train on root-cause analysis
Train process leaders in at least one tool (5 Whys or Ishikawa are the most practical for SMEs). Without this capability, corrective actions stay at “correction” level and problems recur. Output: trained staff + solved examples.
Step 3 — Corrective action tracking dashboard
Dashboard with all open CAs: status, owner, due date, effectiveness verification. Weekly/monthly review so no CA stays open indefinitely. Output: dashboard + review cadence.
Step 4 — Continual improvement plan
Each year, in the management review, identify 3-5 proactive improvement opportunities (not derived from NCs). Assign owner, deadline and evaluation. This is the proactive side of Clause 10. Output: annual continual improvement plan.
Documents and evidence auditors ask for
- Nonconformity and corrective action procedure
- Nonconformity log with nature, correction, root cause and approved CA
- Evidence of root-cause analysis (5 Whys, Ishikawa, 8D, etc.)
- Verification of effectiveness of corrective actions (not just “implemented”)
- Tracking dashboard or report of open/closed CAs
- QMS continual improvement plan with proactive initiatives
- Management review minutes with improvement decisions (links to 9.3)
- If risks were updated as a result of an NC, evidence of the risk matrix update
Common mistakes auditors flag
- Corrective actions that are just corrections — “lot was reworked” with no root-cause analysis or systemic action. Solution: every CA requires root-cause analysis + action that prevents recurrence.
- Surface-level root cause — the analysis stops at “human error” without going deeper (why did the error happen?, was the procedure clear?, was the person trained?). Solution: use 5 Whys to reach a systemic cause.
- No effectiveness verification — the CA is “closed” when implemented, not when it’s verified that the problem doesn’t recur. Solution: formal closure only after verification, typically 1-3 months after implementation.
- NCs without traceability — some NCs are logged, others “fixed in the hallway” with no paper. Solution: mandatory logging even for minor NCs; the recording culture must come from the top.
- Endless corrective actions — the system has 20 CAs open for 2 years. Solution: periodic review with escalation; CAs >90 days are escalated to management.
- Confusing CA with preventive action — since ISO 9001:2015, preventive actions are handled through risks (Clause 6.1). CA is reactive only. Solution: separate reactive (10.2) from proactive (6.1 + 10.3) conceptually.
How QualityWeb 360 makes Clause 10 easier
QualityWeb 360 is a 100% cloud platform that centralizes your entire ISO 9001 QMS. For Clause 10 specifically, it helps with:
🔧 Corrective actions
Dedicated module: NC log with root-cause template (5 Whys, Ishikawa), owner and due-date assignment, approval workflow, mandatory effectiveness verification before closure. Centralized dashboard with all CAs and their status.
🔍 Traceability for audits
Each CA is linked to its origin (complaint, audit finding, KPI deviation), its root-cause analysis, the actions taken and the effectiveness-verification evidence. When the auditor asks “was this CA effective?”, the answer is one click away.
🔁 Periodic review with alerts
The system reminds you when a CA approaches its due date and when an open CA goes past the defined SLA. Reports for the management review with all NCs in the period and pending improvement opportunities.
Frequently asked questions about ISO 9001 Clause 10
Difference between correction and corrective action?
Correction: the immediate fix — rework the defective lot, redeliver the service, contain the issue. Corrective action: analyze the root cause and act on the system so it doesn’t happen again. Both are required. If you only correct, the problem comes back.
Does every nonconformity require a corrective action?
No. Clause 10.2 says “evaluate the need for action to eliminate the cause(s)”. If the NC is isolated, with no systemic impact (e.g., a one-off mistake by a trained operator), correction alone is enough. If it’s recurring or high-impact, then a CA with root-cause analysis is required. The evaluation must be documented.
Which root-cause tool is best?
There’s no “best” — it depends on complexity. For SMEs, 5 Whys is the most practical: fast, requires no deep training, reaches a systemic cause in most cases. Ishikawa adds visual structure and categorization. 8D is standard in automotive but overkill for many SMEs.
How long should we wait to verify effectiveness?
Depends on the problem. For recurring production NCs, 1-3 production cycles after CA implementation lets you see whether the frequency dropped. For service NCs, 1-3 months is typical. What matters is having evidence the problem didn’t recur or was significantly reduced.
Do preventive actions still exist?
Not as a formal term. Since ISO 9001:2015, “preventive actions” were merged into risk management in Clause 6.1. The logic: if you identify a risk and act to prevent it, that replaces the traditional preventive-action concept. What matters is still thinking proactively, now under the risk framework.
How do I demonstrate “continual improvement” in the audit?
With documented evidence of proactive initiatives: annual continual improvement plan with identified projects, KPIs showing year-over-year improvement, management review decisions pointing at improvement opportunities, Kaizen or similar projects. The improvement doesn’t have to be dramatic — small, documented, consistent improvements are enough.
What if a CA isn’t effective?
Reopen the analysis, dig deeper into root cause (the first one probably didn’t reach the bottom) and replan the action. This is valid and expected — auditors value seeing that the organization learns when a CA fails, rather than artificially closing it and hoping no one notices.
📚 Keep exploring the ISO 9001 clauses: